On Mon, May 19, 2003 at 08:38:56AM +0000, Andrés Roldán wrote:
> Hi list.
>
> I am the CSO of a company and I am going to install several Debian woody
> machines with a kernel patched with grsecurity. These servers will be
> critical production-ready machines. The question is, what should I have
> to be aware of by compiling this kernel and what should I do to ensure
> a stability in those servers?
>
I believe there was a recent thread on grsecurity, although it may have been over on Debian-isp instead. Anywho...

Your asking the question of 'what should I have to be aware of by compiling this kernel and....' leads me to ask 'Well, what exactly are you doing with the servers and what do you need protection from?'

Some of the major questions that spring to my mind are:

- Will there be other 'users' on the systems? Or are they just servers to be used by 'trusted' employees?
- If $USERS=1, then what are the users allowed to do? Why are they on the system in the first place? Just to update web files? Compile programs?
- IF $USERS=0, then you have less to worry about, unless you're planning to run your daemons as restricted users. And if you will do that, you need to be aware that some of those daemon/users will not have access to some of the things they might WANT or NEED in order to run as they normally do. You may have to recompile those daemons from source in order to make them behave properly in this new environment.
- Will the server be on the Internet? Behind a firewall? With ipchains?

You can go from the simple "only run what services/daemons are necessary and keep up on security patches" all the way up to "EVERYONE IS OUT TO GET ME AND HACK ME! AND THE PEOPLE ON THE MAILING LIST ARE DOING IT NOW!" level of paranoia (sorry for the yelling, but it's needed for the effect of insane raving).

You really need to define your goals of what the servers will be used for and who will be using the servers in order to decide how to best use grsecurity.

Just looking at the number of lines in my kernel config that have "GRK" in them indicates that there's 47 options available for grsecurity. Each one of those options needs to be examined and you'd need to know what it does and decide whether you really need it, whether you simply want it and mostly (on multiuser server) whether those adjustments would be received by your user base as acceptable to how they do things.

I hope that I've given some direction as to the questions I'd be asking myself under similar circumstances and that my reply doesn't sound simply as though it's a 'non-answer linux support answer' which we all sometimes receive or send.

I've been running grsecurity for a while now, previously having used it when it was simply 'openwall' - or was it 'smoothwall', I get em confused. I think openwall. Without taunting the server pixies, I've had good luck with it and haven't had an outage due to kernel issues at all. A wayward SCSI drive caused my last troubles and has resulted in the number 140 as indicated below instead of something like 440.

$ uptime
17:33:17 up 140 days, 18:32, 4 users, load average: 0.87, 0.88, 0.96

Some other servers running similar bits of patched kernels for security, mostly from multiuser systems that might have prying eyes:

1:33pm up 199 days, 18:19, 1 user, load average: 0.28, 0.22, 0.18
13:35:15 up 171 days, 4:19, 1 user, load average: 0.01, 0.00, 0.00
1:35pm up 171 days, 4:22, 1 user, load average: 0.08, 0.02, 0.01
13:35:52 up 171 days, 4:25, 4 users, load average: 0.08, 0.05, 0.01

Hope this helps...

--
==================================================
+ It's simply not       | John Keimel            +
+ RFC1149 compliant!    | [EMAIL PROTECTED]      +
+                       | http://www.keimel.com  +
==================================================